parameters:
  basePath: ''
  isOfficialBuild: ''
  timeoutInMinutes: ''

steps:
- ${{ if and(eq(parameters.isOfficialBuild, true), ne(variables['Build.Reason'], 'PullRequest'), or(startswith(variables['Build.SourceBranch'], 'refs/heads/release/'), startswith(variables['Build.SourceBranch'], 'refs/heads/internal/release/'))) }}:
  - task: UseDotNet@2
    displayName: Install .NET 6 SDK for signing.
    inputs:
      packageType: 'sdk'
      version: '6.0.x'
      installationPath: '$(Agent.TempDirectory)/dotnet'

  - task: EsrpCodeSigning@4
    displayName: Sign Diagnostic Binaries
    inputs:
      ConnectedServiceName: 'dotnetesrp-diagnostics-dnceng'
      FolderPath: ${{ parameters.basePath }}
      Pattern: |
        **/mscordaccore*.dll
        **/mscordbi*.dll
      UseMinimatch: true
      signConfigType: 'inlineSignParams'
      inlineOperation: >-
        [
          {
            "keyCode": "CP-471322",
            "operationCode": "SigntoolSign",
            "parameters": {
              "OpusName": "Microsoft",
              "OpusInfo": "http://www.microsoft.com",
              "PageHash": "/NPH",
              "FileDigest": "/fd sha256",
              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
            },
            "toolName": "sign",
            "toolVersion": "1.0"
          },
          {
            "KeyCode": "CP-471322",
            "OperationCode": "SigntoolVerify",
            "Parameters": {},
            "ToolName": "sign",
            "ToolVersion": "1.0"
          }
        ]
      SessionTimeout: ${{ parameters.timeoutInMinutes }}
      MaxConcurrency: '50'
      MaxRetryAttempts: '5'
      PendingAnalysisWaitTimeoutMinutes: '5'
    env:
      DOTNET_MULTILEVEL_LOOKUP: 0
      DOTNET_ROOT: '$(Agent.TempDirectory)/dotnet'
      DOTNET_MSBUILD_SDK_RESOLVER_CLI_DIR: '$(Agent.TempDirectory)/dotnet'

  - powershell: |
      $filesToSign = $(Get-ChildItem -Recurse ${{ parameters.basePath }} -Include mscordaccore*.dll, mscordbi*.dll)
      foreach ($file in $filesToSign) {
        $signingCert = $(Get-AuthenticodeSignature $file).SignerCertificate
        if ($signingCert -eq $null)
        {
          throw "File $file does not contain a signature."
        }

        if ($signingCert.Subject -ne "CN=.NET DAC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" `
            -or $signingCert.Issuer -ne "CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
        {
          throw "File $file not in expected trust chain."
        }

        $certEKU = $signingCert.Extensions.Where({ $_.Oid.FriendlyName -eq "Enhanced Key Usage" }) | Select -First 1

        if ($certEKU.EnhancedKeyUsages.Where({ $_.Value -eq "1.3.6.1.4.1.311.84.4.1" }).Count -ne 1)
        {
          throw "Signature for $file does not contain expected EKU."
        }

        Write-Host "$file is correctly signed."
      }
    displayName: Validate diagnostic signatures
